Adaptive Shield - Data Processing Agreement

8. Sub Processing

8.1 Controller authorizes Processor to appoint (and permits each Sub Processor appointed in accordance with this Section ‎8 to appoint) Sub Processors in accordance with this Section 8.

8.2 Processor may continue to use those Sub Processors already engaged by Processor as of the date of this DPA, a list of which is available at https://www.adaptive-shield.com/sub-processors.

8.3 Processor may appoint new Sub Processors and shall give notice of any such appointment to Controller. If, within seven (7) days of such notice, Controller notifies Processor in writing of any reasonable objections to the proposed appointment, Processor shall not appoint the proposed Sub Processor for the Processing of Controller Personal Data until reasonable steps have been taken to address the objections raised by Controller and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections, each of Controller or Processor may, by written notice to the other party and with immediate effect, terminate the Agreement to the extent that it relates to the Services requiring the use of the proposed Sub Processor. In such event, the terminating party shall not bear any liability for such termination.

8.4 With respect to each new Sub Processor, Processor shall:

8.4.1 Prior to the Processing of Controller Personal Data by Sub Processor, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that Sub Processor is committed and able to provide the level of protection for Controller Personal Data required by this DPA; and

8.4.2 ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms that offer a materially similar level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Applicable Law.

8.5 Processor shall remain fully liable to the Controller for the performance of any Sub Processor’s obligations.

9. Data Subject Rights

9.1 Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Processor shall, at Controller’s sole expense, use commercially reasonable efforts to assist Controller in fulfilling Controller’s obligations with respect to such Data Subject requests, as required under Data Protection Laws.

9.2 Upon receipt of a request from a Data Subject under any Data Protection Laws in respect to Controller Personal Data, Processor shall promptly notify Controller of such request and shall not respond to such request except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Data Protection Laws, inform Controller of such legal requirement prior to responding to the request.

10. Data Protection Impact Assessment and Prior Consultation

At Controller’s written request and expense, the Processor and each Sub Processor shall provide reasonable assistance to Controller with respect to any Controller Personal Data Processed by Processor and/or a Sub Processor, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Data Protection Laws.

11. Deletion or Return of Controller Personal Data

Processor shall promptly and in any event within 60 (sixty) days of the date of cessation of provision of the Services to Controller involving the Processing of Controller Personal Data, delete, return, or anonymize all copies of such Controller Personal Data, provided however that Processor may retain Controller Personal Data, as permitted by applicable law. Notwithstanding the foregoing, Controller acknowledges that, due to the type of service provided, Processor is unable to support a request of a data subject to delete or correct its Personal Data, as part of and during provision of its services to Controller. For the avoidance of doubt, retention of the logs and the inability to amend or delete the logs is considered part of Processor’s services to Controller.

12. Audit Rights

We may update this Privacy Notice from time to time to keep it up to date with legal requirements and the way we operate our business, and we will place any updates on this webpage. Please come back to this page every now and then to make sure you are familiar with the latest version. If we make material changes to this Privacy Notice, we will seek to inform you by notice on our Site or per email.

12.1 Subject to Sections ‎12.2 and ‎‎12.3, Processor shall make available to an auditor mandated by Controller in coordination with Processor, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.

12.2 Any audit or inspection shall be at Controller’s sole expense, subject to the terms of the Agreement, and subject to Processor’s reasonable security policies and obligations to third parties, including with respect to confidentiality. The results of any audit or inspection shall be considered the confidential information of the Processor and shall be treated with the same degree of care as Controller affords its own confidential information and/or in accordance with the confidentiality provisions under the Agreement, as applicable.

12.3 Controller and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to the Processors’ premises, equipment, employees and business and shall not interfere with the Processor’s day-to-day business. Controller and Processor shall mutually agree upon the scope, timing and duration of the audit or inspection and the reimbursement rate, for which Controller shall be responsible. Processor need not give access to its premises for the purposes of such an audit or inspection:

12.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;

12.3.2 if Processor was not given a prior written notice of such audit or inspection;

12.3.3 outside of normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or

12.3.4 for the purposes of more than one (1) audit or inspection in any calendar year, except for any additional audits or inspections which:

12.3.4.1 Controller reasonably considers necessary because of genuine concern as to Processor’s compliance with this DPA; or

12.3.4.2 Controller is required to carry out by Applicable Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Law in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.

12.3.5 Processor shall immediately inform Controller if, in its opinion, an instruction received under this DPA infringes the GDPR or other applicable Data Protection Laws.

13. Limitation of Liability

Controller shall indemnify and hold Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Processor and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Data Protection Laws by Controller. Each party’s liability toward the other party shall be subject to the limitations on liability under the Agreement.

14. General Terms

14.1 Governing Law and Jurisdiction The parties to this DPA hereby agree that the competent courts in Ireland shall have exclusive jurisdiction regarding all disputes hereunder, and the parties expressly consent to such jurisdiction. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of Ireland. To the extent that the Standard Contractual Clauses apply, the above-mentioned jurisdiction shall be deemed the jurisdiction specified in Clause 17 of the Standard Contractual Clauses, provided that such law allows for third-party beneficiary rights.

14.2 Notwithstanding the foregoing in this Section ‎14.1, parties to this DPA hereby agree that the competent courts in California shall have exclusive jurisdiction regarding all disputes hereunder relating solely to the CCPA, and the parties expressly consent to such jurisdiction.

14.3 Order of Precedence

14.3.1 Nothing in this DPA reduces Processor’s obligations under the Agreement in relation to the protection of Controller Personal Data or permits Processor to Process (or permit the Processing of) Controller Personal Data in a manner that is prohibited by the Agreement.

14.3.2 This DPA is not intended to, and does not in any way limit or derogate from Controller’s obligations and liabilities towards the Processor under the Agreement and/or pursuant to Data Protection Laws or any law applicable to Controller in connection with the collection, handling and use of Controller Personal Data by Controller or other processors or their sub processors, including with respect to the transfer or provision of Controller Personal Data to Processor and/or providing Processor with access thereto.

14.3.3 Subject to this Section ‎14.3, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. In the event of inconsistencies between the provisions of this DPA and the Standard Contractual Clauses (to the extent they apply), the Standard Contractual Clauses shall prevail.

14.4 Changes in Data Protection Laws

14.4.1 Controller may, by at least 45 (forty five) calendar days’ prior written notice to Processor, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under any Data Protection Laws in order to allow Controller Personal Data to be Processed (or continue to be Processed) without breach of that Data Protection Laws.

14.4.2 If Controller gives notice with respect to its request to modify this DPA under Section ‎‎14.3.1, (i) Processor shall make commercially reasonable efforts to accommodate such modification request and (ii) Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.

14.5 Severance Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.